Department of Homeland Security

DHS Needs To Strengthen Information Technology Continuity and Contingency Planning Capabilities

REDACTED

OIG-13-110    August 2013

OFFICE OF INSPECTOR GENERAL
Department of Homeland Security
Washington, DC 20528 / www.oig.dhs.gov

August 28, 2013

MEMORANDUM FOR:  Margaret H. Graves
                 Acting Chief Information Officer
                 Department of Homeland Security

FROM:            Frank Deffer
                 Assistant Inspector General
                 Office of Information Technology Audits

SUBJECT:         DHS Needs To Strengthen Information Technology
                 Continuity and Contingency Planning Capabilities

Attached for your information is our final report, DHS Needs To Strengthen Information Technology Continuity and Contingency Planning Capabilities. We incorporated the formal comments from the Departmental GAO/OIG Liaison Office in the final report.

The report contains nine recommendations aimed at improving the Office of the Chief Information Officer. Your office concurred with eight recommendations.
As prescribed by the Department of Homeland Security Directive 077-01, Follow-Up and Resolutions for Office of Inspector General Report Recommendations, within 90 days of the date of this memorandum, please provide our office with a written response that includes your (1) agreement or disagreement, (2) corrective action plan, and (3) target completion date for each recommendation. Also, please include responsible parties and any other supporting documentation necessary to inform us about the current status of the recommendation.

Please email a signed PDF copy of all responses and closeout requests to OIGITAuditsFollowup@oig.dhs.gov. Until your response is received and evaluated, the recommendations will be considered open and unresolved.

Consistent with our responsibilities under the Inspector General Act, we are providing copies of our report to appropriate congressional committees with oversight and appropriation responsibilities over the Department of Homeland Security. We will post a redacted version of the report on our website.

Please call me with any questions, or your staff may contact Sharon Huiswoud, Director, Information Systems Division, at (202)-254-5451.

Attachment

Table of Contents

Executive Summary
Background
Results of Audit
    Progress Made at the Enterprise Data Centers
    Inadequate Continuity Planning Increases Risk That DHS May Not Be Able To Perform Mission Essential Functions
    Recommendations
    Inadequate Contingency Planning Increases Risk That DHS May Not Be Able To Restore Enterprise Mission Essential Systems
    Recommendations
    Management Comments and OIG Analysis

Appendixes
    Appendix A:  Objectives, Scope, and Methodology
    Appendix B:  Management Comments to the Draft Report
    Appendix C:  Disaster Recovery Service Levels
    Appendix D:  Major Contributors to This Report
    Appendix E:  Report Distribution

Abbreviations
    ASP      Alternate Service Provider
    CBP      U.S. Customs and Border Protection
    CSC      Computer Science Corporation
    DC1      Enterprise Data Center 1
    DC2      Enterprise Data Center 2
    DHS      Department of Homeland Security
    DR       disaster recovery
    EMOC     Enterprise Management Operations Center
    EOC      Enterprise Operations Center
    FIPS     Federal Information Processing Standards
    HP       Hewlett-Packard
    IT       information technology
    NIST     National Institute of Standards and Technology
    NOC      Network Operations Center
    OCIO     Office of the Chief Information Officer
    OIG      Office of Inspector General
    OneNet   DHS One Network
    OPS      Office of Operations Coordination and Planning
    SOC      Security Operations Center
    SP       Service Provider

Executive Summary

The Department of Homeland Security’s (DHS) ability to perform mission essential functions continuously rests upon the availability and integrity of its mission essential systems and critical communications assets.
We conducted an audit of the efforts undertaken by the Department’s Office of the Chief Information Officer to implement and maintain continuity of operations and disaster recovery and contingency planning capabilities. The objective of our audit was to determine the progress that the Office of the Chief Information Officer has made in carrying out its continuity planning roles and developing contingency planning strategies for routine backup of critical data, programs, documentation, and personnel for recovery after an interruption.

Generally, DHS has made progress toward implementing effective disaster recovery capabilities at the Department’s two enterprise data centers. Specifically, it has established a list of disaster recovery services that DHS components can procure for their systems. Additionally, the enterprise data centers now have disaster recovery enclaves that provide backup capabilities that allow continued minimum operations in the event of a disaster.

Although DHS has strengthened its disaster recovery capabilities at the Enterprise Data Centers, more work is needed. For example, the Office of the Chief Information Officer’s inadequate continuity and contingency planning increases the risk that the Department may not be able to respond effectively in case of an emergency or disaster. Specifically, the Department does not have a headquarters information technology disaster recovery plan that details the transition of its headquarters critical information systems and communication assets from the primary site to the alternate site.
Also, the Office of the Chief Information Officer has not established policy that requires mission essential systems to be rated as having “high” criticality in accordance with the National Institute of Standards and Technology’s Federal Information Processing Standards Publication 199. Finally, because of contingency planning weaknesses, all seven of the Department’s enterprise mission essential systems that we reviewed are at risk of not having capabilities to react to emergency events, to restore essential business functions if a disruption occurs, and to resume normal operations.

We are making nine recommendations to the Office of the Chief Information Officer to improve the Department’s information technology continuity planning and its development of contingency strategies. The Chief Information Officer concurred with eight recommendations and has begun to take actions to implement them. The Department’s responses are summarized and evaluated in the body of this report and included, in their entirety, as appendix B.

Background

The lessons learned from such catastrophic events as the attacks of September 11, 2001, Hurricane Katrina in 2005, and Hurricane Sandy in 2012, demonstrate the need to incorporate continuity as a good business practice into day-to-day planning, in order to reduce vulnerability and ensure resilience.
An organization’s resilience is the ability to resist, absorb, recover from, report, or successfully adapt to adversity or a change in conditions and is directly related to the effectiveness of its continuity capability.

On May 9, 2007, National Security Presidential Directive-51/Homeland Security Presidential Directive-20 (National Continuity Policy) was issued to establish a comprehensive national policy on continuity for Federal Government structures and operations. National Essential Functions and continuity requirements were prescribed for all executive departments and agencies. DHS adopted the National Continuity Policy concept and has taken steps to implement it within the Department. It also has a responsibility to maintain mission essential operations for undisrupted security and service to the United States and its citizens.

The DHS Secretary delegated to the DHS Office of Operations Coordination and Planning (OPS) responsibilities for leading and administering the Department’s continuity program and Department-wide mission assurance activities. These responsibilities include developing and maintaining Department-wide continuity planning documents such as the DHS Continuity Plan, and the DHS Headquarters Continuity of Operations Plan. DHS OPS was also given the authority to ensure emergency preparedness within the Department by working, in coordination with the Under Secretary for Management and Offices and Component Heads, to ensure that plans and procedures exist for identifying, prioritizing, assessing, and protecting the Department’s critical infrastructure and key resources.

OPS issued the DHS Continuity Plan to provide instructions to the Department and its components on how to continue mission essential functions during national security emergencies.
The DHS Continuity Plan follows the National Security Presidential Directive-51/Homeland Security Presidential Directive-20 and Federal Continuity Directives.[1] DHS has written the Federal Continuity Directives to provide operational guidance to Federal agencies on implementing the principles for the National Continuity Policy.

Footnote 1: The Federal Continuity Directives include Federal Continuity Directive 1—Federal Executive Branch National Continuity Program and Requirements, February 2008 (updated version October 2012); and

OPS also developed the DHS Headquarters Continuity of Operations Plan that specifies DHS policy and provides directions for the orderly relocation of headquarters personnel and continuation of headquarters essential functions at the continuity facilities, for up to 30 days, or until normal operations resume. The initiation of the Continuity of Operations Plan and procedures may be required to support any event that renders DHS operating capabilities inaccessible, unsafe, or otherwise unable to support mission requirements. The plan is important to ensure the continued performance by the Department and components in the event of a full range of potential emergencies and impactful events.

By exercising its authority, the DHS OPS assigned several key responsibilities to the Office of the Chief Information Officer (OCIO). The DHS OCIO’s mission is to develop and maintain the single DHS-wide information technology (IT) infrastructure environment.
DHS’ IT and communication infrastructure is a crucial asset that must be strategically developed and deployed to support restoration and the continuity of operations plan in the event of man-made or natural disasters.

OCIO is responsible for the Department’s mission essential function of ensuring an enterprise-level availability of IT infrastructure, mission essential systems, and communication at all levels of classification. OCIO is required to perform a business impact analysis to support its mission essential function. The OPS’ Headquarters Continuity of Operations Plan defines business impact analysis as a risk method of identifying the effects of failing to perform a mission essential function or business requirement. The Headquarters Continuity of Operations Plan also directed the OCIO to develop the Headquarters IT Disaster Recovery Plan, which should include details of the transition of all DHS Headquarters Continuity of Operations Plan critical telecommunication and information systems from the Headquarters location to an alternate facility. Other key OCIO responsibilities are to identify mission essential systems and ensure the availability and integrity of the systems for use during a continuity of operations plan event. Mission essential systems include IT systems, databases, and financial management systems. A complete listing of mission essential systems should be included in the Headquarters Continuity of Operations Plan.
OCIO is also responsible for informing DHS Senior Management on the status of telecommunications and information systems.

Footnote 1 (continued): Federal Continuity Directive 2—Federal Executive Branch Mission Essential Function and Primary Mission Essential Function Identification and Submission Process, February 2008.

Contingency planning for information systems is also part of an overall organizational program for achieving continuity of operations for mission operations. Contingency planning addresses both information system restoration and implementation of alternative mission processes when systems are compromised.

We have previously reported on DHS IT contingency planning. Specifically, in May 2005, we reported that DHS IT disaster recovery sites were not prepared to prevent service disruptions.[2] Specifically, 15 of the 19 (79 percent) facilities reviewed did not have a recovery site or the recovery site was not fully operational. We noted that these problems with disaster recovery are occurring in part because DHS did not have a program to provide an enterprise-wide disaster recovery solution.
Additionally, in April 2009, we reported that while the Department had strengthened its disaster recovery planning, more work needed to be done.[3] We reported that the two new data centers need interconnecting circuits and redundant hardware for backup capabilities for each other.

Results of Audit

Progress Made at the Enterprise Data Centers

DHS has taken a number of steps to implement IT disaster recovery capabilities at the enterprise data centers since our last report in April 2009. Specifically, the OCIO established eight levels of disaster recovery capabilities for IT systems residing within the enterprise data centers. Additionally, the OCIO has set up disaster recovery enclaves to provide backup capabilities for each data center. With these enhancements to the enterprise data centers, OCIO has provided the components with additional options for disaster recovery services.

Enterprise Data Center Disaster Recovery Services

The enterprise data centers offer eight disaster recovery services levels for all component and DHS enterprise systems. From the centers, OCIO can offer components a wide range of services, including tape backups stored at offsite facilities or tape backups created using electronic vaulting services. OCIO can provide complete failover services, which is the automatic ability to move operations to a redundant backup system.
For a complete list of services, see appendix C. DHS components that have information systems at either of the two enterprise data centers can procure recovery services from OCIO through the OCIO IT Services and Hardware Catalog, Volume 9, Summer 2012.

Footnote 2: Disaster Recovery Planning for DHS Information Systems Needs Improvement (Redacted), OIG-05-22, May 2005.
Footnote 3: DHS’ Progress in Disaster Recovery Planning for Information Systems, OIG-09-60, April 2009.

Enterprise Data Center Enclaves

In our April 2009 report, we noted that the enterprise data centers needed connectivity to ensure backup capabilities for each other.[4] Specifically, we reported that the necessary telecommunications equipment and circuits were not in place to transmit data from one site to the other for backup purposes. Without the necessary connectivity between the two data centers, DHS might not be able to backup and restore mission critical systems within users’ required time frames.

To address this issue, DHS established the disaster recovery (DR) enclaves.
These enclaves are composed of

Footnote 4: Ibid.

Figure 1.

Inadequate Continuity Planning Increases Risk That DHS May Not Be Able To Perform Mission Essential Functions

DHS needs to conduct sufficient IT continuity planning to ensure that it can perform essential mission functions in a natural, man-made, or cyber disaster. Specifically, OCIO has not prepared a Headquarters Information Technology Disaster Recovery Plan to transition its headquarters critical information systems and communication assets from the primary location to the alternate site. Additionally, OCIO did not develop a business impact analysis to identify its mission essential function. Also, OCIO did not establish policy for the Department and components to use to identify critical information assets and mission essential systems. Finally, OCIO needs to monitor mission essential systems disaster capabilities and the usage of enterprise data center recovery services.
Without adequate continuity planning, DHS is at increased risk that a catastrophic event could render the organization unable to perform mission essential functions.

Headquarters Information Technology Disaster Recovery Plan

DHS should have a Headquarters Information Technology Disaster Recovery Plan for transitioning its headquarters critical information systems and communication assets from its primary location to the alternate location during a natural, man-made, or cyber disaster. Such a plan, as required by the DHS Headquarters Continuity of Operations Plan, dated June 4, 2012, should be designed to restore operability of mission critical systems, applications, or computer facility infrastructures at an alternate site after a disaster. According to an official from the DHS OCIO, OCIO has not developed a Headquarters Information Technology Disaster Recovery Plan because the OCIO currently does not have the resources to develop the plan.

An IT disaster recovery plan is a major component under continuity planning guidance. According to the National Institute of Standards and Technology (NIST) Special Publication 800-34 Revision 1, Contingency Planning Guide for Federal Information Systems, a disaster recovery plan is an information system-focused plan designed to restore operability of the target system, application, or computer facility infrastructure at an alternative site after an emergency.
In a disaster recovery plan, best practices require organizations to—

    • Establish a planning group with people who understand the business processes, technologies, networks and systems;
    • Perform risk assessments and business impact analyses;
    • Establish priority levels for business processes, applications, systems and networks;
    • Develop recovery strategies; and
    • Document and implement the plan.

Without a Headquarters Information Technology Disaster Recovery Plan and process in place, DHS OCIO has not been able to identify the risks to its operations and mitigate the consequences to a level acceptable to senior management.

Business Impact Analysis

DHS OCIO needs to develop a business impact analysis to identify its mission essential function, which will ensure the availability of the DHS’ IT infrastructure, mission critical systems, and communications assets. The business impact analysis should identify relationships, interdependencies, and mitigation strategies to support a mission essential function. According to the DHS Continuity Plan, a business impact analysis should be conducted every 2 years in accordance with the Federal Continuity Directive 2 guidelines and requirements.
[5] According to OCIO staff, they have not conducted these analyses because of resource and staffing limitations.

Footnote 5: Federal Continuity Directive 2—Federal Executive Branch Mission Essential Function and Primary Mission Essential Function Identification and Submission Process, February 2008.

The DHS Continuity Plan specifies that the business impact analysis is the primary method for determining and managing risk. A business impact analysis is the first source for determining resiliency and contingency planning strategies. The results of this analysis determine how critical the system is to the supported mission/business processes, what effect the loss of the system could have on the organization, and the objective of system recovery time. The business impact analysis also determines the type and frequency of backup, the need for redundancy or mirroring of data, and the type of alternate site needed to meet system recovery objectives. Without the required business impact analysis, DHS OCIO may not have an effective risk management process to identify threats and vulnerabilities that impact mission essential systems during a disaster.

Mission Essential Systems

OCIO needs to strengthen its approach to assessing and monitoring the Department’s mission essential systems.
Specifically, OCIO needs to ensure that all DHS mission essential systems are rated as “high” under the availability security objective in accordance with NIST Federal Information Processing Standards Publication (FIPS) 199.[6] NIST FIPS 199 provides three systems security levels so that organizations can rate their systems high, moderate, or low. Under the high level, any loss or disruption of a mission essential system could have a severe or catastrophic effect on the Department. We determined that some DHS enterprise mission essential systems were rated at the moderate level. Because mission essential systems must, by definition, remain available during an emergency or a disaster, components should be rating them as high.

Also, DHS OCIO needs to establish and implement processes to monitor the availability of all DHS mission essential systems. According to the OCIO’s Information Technology Resilience Plan dated September 13, 2012, DHS has 234 mission essential systems. The DHS Secretary has assigned the responsibility of monitoring the availability of the mission essential systems to the DHS OCIO. These responsibilities include monitoring these systems to ensure that they are available and have the necessary disaster recovery services in the event of a disaster.
OCIO staff informed us they have not instituted oversight and monitoring procedures for IT disaster recovery services because of resource and staffing limitations.

Footnote 6: NIST FIPS 199, Standards for Security Categorization of Federal Information and Information Systems, February 2004, pages 2–3.

Data Center Disaster Recovery Services

DHS components need to make better use of the disaster recovery services that OCIO provides through its enterprise data centers. Currently, 19 out of 234 DHS mission essential systems rely on disaster recovery services provided through the enterprise data centers platform. The DHS OCIO offers eight disaster recovery services levels in its OCIO IT Services and Hardware Catalog, Volume 9, Summer 2012 (see appendix C). These services are available for components to purchase through OCIO for all IT systems that are located at OCIO enterprise data centers. These types of services are crucial to ensure that DHS mission essential systems are successfully maintained and restored in the event of a disaster.
Without these services, there is increased risk that the services needed to maintain DHS mission essential systems may not be available in the event of a disaster.

Recommendations

We recommend that the Chief Information Officer:

Recommendation #1:

Develop a Headquarters Information Technology Disaster Recovery Plan for the transition of its headquarters critical information systems and communications assets from its primary location to the alternate location, as instructed in the DHS Continuity of Operations Plan.

Recommendation #2:

Perform a business impact analysis of the Office of the Chief Information Officer’s mission essential function and update the plan every 2 years in accordance with Federal Continuity Directive 2.

Recommendation #3:

Develop policies and processes for monitoring the availability of all DHS mission essential systems.

Inadequate Contingency Planning Increases Risk That DHS May Not Be Able To Restore Enterprise Mission Essential Systems

Contingency planning is a systematic approach for identifying what can go wrong in a situation. A system owner should try to identify contingency events and be prepared with plans, strategies, and approaches for avoiding, coping with, or even exploiting them. Our audit included a review of contingency plans for seven DHS enterprise mission essential systems, which are widely used by all DHS components.
These seven systems are under the control and supervision of
either the DHS OCIO or the U.S. Customs and Border Protection (CBP). The
enterprise mission essential systems under the direct control of the DHS OCIO
are OneNet, DC1, DC2, Redundant Trusted Internet Connection, and Email as a
Service. The enterprise mission essential systems under the control of CBP are
the CBP NOC and the CBP SOC. We identified areas for improvement in DHS’
contingency planning that may maintain the availability of these seven systems
in the event of a disruption.

NIST Special Publication 800-34 provides guidance for contingency planning for
all Federal information systems to mitigate risks.7 Specifically, DHS enterprise
system owners are not—

    •  Updating contingency plans on a timely basis;
    •  Preparing business impact analyses for each system;
    •  Maintaining backup data;
    •  Identifying adequate alternate locations for these systems;
    •  Implementing contingency training; or
    •  Performing full failover contingency testing.

Without adequate contingency planning, DHS may not have sufficient
capabilities to react in an emergency and restore mission essential functions.
See table 1 for a summary of our analysis of DHS contingency planning
weaknesses for the selected enterprise mission essential systems.

7 NIST Special Publication 800-34 Revision 1, Contingency Planning Guide for Federal Information Systems,
May 2010.
Table 1: DHS Contingency Planning

                                        Contingency Planning Requirements
                                          Prepare               Identify    Implement     Perform Full
Enterprise Mission           Update       Business   Maintain   Adequate    Contingency   Failover
Essential Systems            Contingency  Impact     Backup     Alternate   Training for  Contingency
                             Plans        Analysis   Data       Locations   Personnel     Testing
OneNet                       No           No         No         Yes         No            No (partial)
DHS Redundant Trusted
  Internet Connection        Yes          No         No         Yes         No            No (partial)
DC 1                         Yes          Yes        Yes        Yes         No            No
DC 2                         Yes          Yes        Yes        Yes         No            No
DHS Email as a Service       No           Yes        Yes        Yes         No            No
NOC                          No           No         No         No          No            No
SOC                          No           No         No         No          No            No

We provide further detail on
DHS’ enterprise mission essential systems and its
compliance with contingency planning requirements in the following sections.

Update Contingency Plans

DHS needs to update some of its enterprise mission essential systems
contingency plans. DHS Sensitive Systems Policy Directive 4300A states that
documented formal information system contingency plans should be reviewed,
tested, and exercised at least annually and updated as necessary.8 We reviewed
seven enterprise mission essential systems and identified four that did not have
contingency plans that were revised and updated to reflect the current system
information. For example, the OneNet contingency plan, dated February 2011,
was approximately 18 months old at the completion of our fieldwork. In
addition, the title and date on the cover page for both the NOC and SOC
contingency plans were updated prior to our review but the information within
the plans was incorrect and outdated. Without updated contingency plans, the
DHS OCIO may not have the capability to react effectively to disruptive events.

Prepare Business Impact Analyses

DHS should develop business impact analyses for all of its enterprise mission
essential systems. Specifically, four of the enterprise mission essential systems
included in our audit did not have business impact analyses prepared.
Most DHS mission essential functions are supported by several systems. A business impact
analysis is required for each system supporting that mission essential function.
Per NIST Special Publication 800-34, business impact analysis results determine
how critical the system is to the supported mission essential function processes,
what effect the loss of the system could have on the organization, and length of
the system recovery time.9 An OCIO official stated that business impact analyses
were not prepared because they are not required by the DHS security policy. We
agree that the DHS Sensitive Systems Policy Directive 4300A does not require
system business impact analyses for contingency planning; however, the policy
needs to be updated to comply with NIST Special Publication 800-34 for a
system-based business impact analysis. Without the information from a
business impact analysis, DHS system owners could be unable to determine the
type and frequency of backups, the need for redundancy or mirroring of data, or
the type of alternate site needed, to meet their system recovery objectives.

8 DHS Sensitive Systems Policy Directive 4300A, Version 9.1, dated July 17, 2012, Section 3.5.2.e.

Maintain Backup Data

DHS should maintain backup data for all of its enterprise mission essential
systems.
Specifically, four enterprise mission essential systems do not maintain
data backups in a secure offsite location to allow for ready access in a
contingency event. According to DHS Sensitive Systems Policy Directive 4300A
data backups should be performed on systems regularly. Information security
officials stated that these enterprise mission essential systems do not have
backup capabilities because of limited or reduced resources, the need for
storage area networks, and expired contracts. Without adequate backup
capabilities, DHS may not be able to fulfill its mission in the event of a disruption.

Identify Adequate Alternate Locations

DHS has not identified adequate alternate facilities for two of its enterprise
mission essential systems, NOC and SOC. Specifically, we determined that the
site in Florida that DHS chose as an alternate facility for both systems is
inadequate to handle the workload if the primary sites should fail. Although the
Florida site is a “hot site” in that it has fully operational equipment and capacity
to assume operational control, it does not have sufficient staffing to operate
effectively over an extended period.
According to NIST Special Publication 800-34, one of the requirements for an
alternate “hot site” is that the site must be
able to handle the full workload of the primary site.10 However, CBP does not
have the staffing at the alternate site to handle the workload. In past situations,
the smaller staff at the Florida site had to operate on a 24×7 schedule until the
Virginia site staff could recover. A normal schedule would be an 8-hour day.

9 NIST Special Publication 800-34 Revision 1, Contingency Planning Guide for Federal Information Systems,
May 2010, pages 15–16.

Implement Contingency Training for Personnel

DHS enterprise mission essential systems owners need to implement rigorous
training requirements for all personnel involved in the contingency planning
process. Specifically, we determined that all personnel supporting the seven
enterprise mission essential systems we reviewed did not receive training in
contingency planning.
According to DHS Sensitive Systems Policy Directive
4300A, the DHS Chief Information Officer should ensure that contingency
training is performed in accordance with the systems availability requirements.11
DHS is required to identify personnel involved with enterprise mission essential
systems and train them in their respective contingency planning roles and
responsibilities, and in procedures and logistics.

Perform Full Failover Contingency Testing

DHS needs to conduct full failover testing for the seven enterprise mission
essential systems we reviewed. The testing demonstrates that the system can
be brought to an operational condition at the designated alternate site by
following the procedures and instructions described in the contingency plan.
According to DHS Sensitive Systems Policy Directive 4300A, a system’s recovery
roles, responsibilities, procedures, and logistics in the contingency plan should
be used for testing within a year prior to authorization to recover from a
simulated contingency event at the alternate processing site.12

In lieu of full failover testing, DHS conducted tabletop exercises or partial failover
exercises for the seven enterprise mission essential systems we reviewed.
These exercises were not sufficient, in that they were mostly discussion-based,
and did not involve deploying equipment or other resources. A more effective,
full testing exercise should be designed to exercise the roles and responsibilities,
procedures, and assets, such as communications, emergency notifications, and IT
equipment setup.
Full testing exercises vary in complexity and scope, from
validating specific aspects of a plan to full-scale exercises that address all plan
elements. Without the required full testing exercises, staff might not be able to
demonstrate their operational readiness for emergencies in a simulated
environment.

10 Ibid., page 47.
11 DHS Sensitive Systems Policy Directive 4300A, Version 9.1, dated July 17, 2012, Section 3.5.2.g.
12 Ibid., Section 3.5.2.f.

Recommendations

We recommend that the Chief Information Officer in coordination with CBP
officials:

Recommendation #4:

Update mission essential systems contingency plans regularly.

Recommendation #5:

Prepare business impact analyses for enterprise mission essential systems.

Recommendation #6:

Develop and implement a process to maintain backup data for enterprise
mission essential systems.

Recommendation #7:

Identify and establish adequate alternate facilities for the NOC and SOC.

Recommendation #8:

Implement contingency training for enterprise mission essential systems.

Recommendation #9:

Perform full failover contingency testing for enterprise mission essential
systems.
Management Comments and OIG Analysis

We obtained written comments on a draft of this report from the DHS
Government Accountability Office/Office of Inspector General Liaison Office. In
the comments, OCIO concurred with recommendations 1–8, and non-concurred
with recommendation nine. In addition, OCIO expressed concern with several of
the conclusions presented in the report.

Specifically, OCIO stated that it does not agree with our overall assessment that
“inadequate continuity and contingency planning leaves the Department
vulnerable in the event of an emergency.” OCIO states that it is concerned that
we “did not appropriately consider the many IT disaster recovery capabilities,
documentation, and testing that, when taken together, comprise a robust
disaster recovery capability.” OCIO cites as examples certain IT services, such as
the DHS Emergency Response Group staff, and DHS Devolution capabilities.
OCIO notes that these capabilities are tested during all National Level Exercises.

We agree that we did not discuss in detail these areas, because they were not
within the scope of this audit. Rather, our objective was to determine the
OCIO’s progress in carrying out its continuity planning roles and developing
contingency planning strategies for routine backup of critical data, programs,
documentation, and personnel for recovery after an interruption.
We reviewed
documentation related to Continuity of Operations Plan-designated roles and
responsibilities for the OCIO but not for other DHS Headquarters offices.
Nonetheless, we have revised the language in this section to state that
“inadequate continuity and contingency planning increases the risk” that the
Department may not be able to respond effectively in case of an emergency or
disaster.

OCIO also states in the comments that it disagrees with our suggestion that all
DHS mission essential systems availability ratings be changed to “high,” in that
this would conflict with DHS policy. We do not agree with the OCIO in this
regard. We state in our report that several of the identified mission essential
systems were rated at a moderate level, which would not always ensure the
availability of that system during a disaster. The mission essential function of the
OCIO is to ensure that mission essential systems for the Department and the
components are available during a disaster. The loss or disruption of a mission
essential system could severely affect DHS operations. DHS’ current policy does
not require that all mission essential systems be rated as high.
This policy
conflicts with NIST FIPS 199 in that FIPS requires that systems be rated at the
high level if any loss or disruption of the mission essential system could have a
severe or catastrophic effect on an agency’s operations.

Finally, OCIO states that the contingency planning section of the draft report
does not accurately portray the Department’s contingency planning activity.
According to the OCIO, the report “indicates gaps in contingency plans, business
impact analyses, backup data, alternative location, training, and failover testing
that are not fully accurate.” For example, the OCIO states that we “did not
recognize any of the contingency training performed for each of the seven
systems reviewed and did not credit DHS for the robust backup capabilities of
several of the systems.”

We do not agree that this section of the report is inaccurate. During this audit,
we reviewed contingency plans for seven DHS enterprise mission essential
systems managed by the OCIO and/or CBP. We did not review contingency plans
for the entire Department. Table 1, DHS Contingency Planning, presents the
results of our audit based on our review of the seven enterprise systems, using
DHS and NIST requirements as criteria. During the audit, we requested
supporting evidence of employees’ contingency training, but we only received
two certificates.
DHS should train their personnel in their contingency roles and
responsibilities with respect to their information systems. Also, we found that
four enterprise mission essential systems did not maintain backup data at
secure off-site locations due to limited resources and expired contracts. DHS
systems owners should establish alternate storage sites including the necessary
agreements to permit the storage and recovery of information system backup
information.

Our analysis of OCIO’s response to our recommendations follows.

Recommendation #1

The OCIO concurs with this recommendation. The OCIO will consolidate
information from the disaster recovery planning efforts and documents that
already exist into one Headquarters IT Disaster Recovery Plan. Specifically, the
OCIO stated that the following documents will be leveraged to develop the IT DR
Plan: OCIO and DHS Headquarters Continuity of Operations Plans, the DHS
Resilience Plan, and the Management Directorate Devolution Plan with
Component Annex Plans.

This recommendation will remain open until the OCIO provides documentation
to support that all planned corrective actions are completed.

Recommendation #2

The OCIO concurs with this recommendation. The OCIO will coordinate with OPS
to update the business impact analysis every 2 years. We agree that the steps
OCIO has taken and plans to take will begin to satisfy this recommendation.
This recommendation will remain open until the OCIO provides documentation to
support that all planned corrective actions are completed.

Recommendation #3

The OCIO concurs with this recommendation. The OCIO agrees that policies and
processes should be developed that cover automated monitoring capabilities.
The OCIO will acquire services to implement automated monitoring capabilities
and plans to begin system implementation this fiscal year. OCIO will develop
standard operating procedures that cover the newly established monitoring
capability.

We agree that the steps OCIO has taken and plans to take will begin to satisfy
this recommendation. This recommendation will remain open until the OCIO
provides documentation to support that all planned corrective actions are
completed.

Recommendation #4

The OCIO concurs with this recommendation. The OCIO will take steps to ensure
that the enterprise mission essential systems contingency plans are updated
timely on a continuing basis.

We agree that the steps OCIO has taken and plans to take will begin to satisfy
this recommendation. This recommendation will remain open until the OCIO
provides documentation to support that all planned corrective actions are
completed.

Recommendation #5

The OCIO concurs with this recommendation.
The OCIO will direct the systems
owners for the cited four enterprise mission essential systems to perform
business impact analyses.

We agree that the steps OCIO has taken and plans to take will begin to satisfy
this recommendation. This recommendation will remain open until the OCIO
provides documentation to support that all corrective actions are completed.

Recommendation #6

The OCIO concurs with this recommendation. The OCIO agrees that maintaining
backup data for enterprise mission essential systems is important. They cited
other methods of how data are being maintained in lieu of secure offsite
location storage arrangements. This recommendation will remain open until the
OCIO provides documentation to support that all corrective actions are
complete.

Recommendation #7

The OCIO concurs with this recommendation. In the response, the OCIO states
that they have already identified, established, equipped, staffed, and tested an
adequate alternate site for the NOC and SOC.

We do not agree that the staffing levels at the NOC and SOC are adequate to
handle the workload during a contingency event if the primary sites should fail.
An alternative location should provide the capabilities of replicating and
restoring critical applications and functions in order to resume operations in the
event of an emergency.
This recommendation will remain open until the OCIO
provides a corrective action plan that will address the recommendation.

Recommendation #8

The OCIO concurs with this recommendation. The OCIO acknowledged that
documentation to reflect training was not provided to us until after the issuance
of our audit report. This recommendation will remain open until the OCIO
provides documentation to support that all corrective actions are completed.

Recommendation #9

The OCIO does not concur with this recommendation. Although the OCIO agrees
with the importance of performing failover contingency testing for enterprise
mission essential systems, the OCIO stated that the owner of a mission essential
system determines the outage risk and economics of building a fully redundant
system. According to the OCIO, if it has been determined that the mission
essential system requires full redundancy, the owners procure and implement a
robust disaster recovery capability. When it is determined that it is not
necessary for their respective systems to be fully redundant, the owners list the
system as the top priority for restoration when outages occur, to mitigate risk.

We do not agree with the OCIO’s comments on this recommendation. During
the audit, OCIO did not provide evidence that mission essential systems owners
had conducted the required analyses to determine risk and identify redundancy
needs.
Rather, OCIO provided documentation of the tabletop exercises that had
been conducted. These exercises were not sufficient, in that they were mostly
discussion-based, and did not involve deploying equipment or other resources.

According to DHS Sensitive Systems Policy Directive 4300A, a system’s recovery
roles, responsibilities, procedures, and logistics in the contingency plan should
be used for testing, within a year prior to authorization, to recover from a
simulated contingency event at the alternate processing site. Additionally, DHS
has a prescribed exceptions policy through which components may request
waivers to any portion of the DHS Policy Directive. During the audit, OCIO did
not provide evidence that it had waived failover contingency testing for either its
systems or components systems.

This recommendation will remain open until the OCIO provides documentation
to support that all corrective actions are completed.

Appendix A
Objectives, Scope, and Methodology

The Department of Homeland Security (DHS) Office of Inspector General (OIG) was
established by the Homeland Security Act of 2002 (Public Law 107-296) by amendment
to the Inspector General Act of 1978.
This is one of a series of audit, inspection, and
special reports prepared as part of our oversight responsibilities to promote economy,
efficiency, and effectiveness within the Department.

The objective of our audit was to determine the Office of the Chief Information Officer’s
progress in carrying out its continuity planning roles and developing contingency
planning strategies for routine backup of critical data, programs, documentation, and
personnel for recovery after an interruption. Specifically, we determined (1) whether
disaster recovery and Continuity of Operations Plan capabilities are being used by the
DHS departments and components effectively; (2) whether DHS established effective
disaster recovery and Continuity of Operations Plan capabilities across selected
enterprise systems; and (3) whether any recent disruptions of services have occurred
and to what extent did the disruption impact components’ operations.

We interviewed selected personnel at DHS Headquarters and components’ facilities in
Washington, DC; Clarksville, VA; and Stennis Space Center, MS.

We conducted this performance audit between August and December 2012 pursuant to
the Inspector General Act of 1978, as amended, and according to generally accepted
government auditing standards. Those standards require that we plan and perform the
audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our
findings and conclusions based upon our audit objectives.
We believe that the evidence
obtained provides a reasonable basis for our findings and conclusions based upon our
audit objectives.

Appendix B
Management Comments to the Draft Report

U.S. Department of Homeland Security
Washington, DC 20528

June 24, 2013

MEMORANDUM FOR:    Frank Deffer
                   Assistant Inspector General
                   Office of Information Technology Audits

FROM:              Jim H. Crumpacker
                   Director
                   Departmental GAO-OIG Liaison Office

SUBJECT:           OIG Draft Report: "DHS Needs to Strengthen Information
                   Technology Continuity and Contingency Planning Capabilities"
                   (Project No. 010-12- 164-TTA-OHS)

Thank you for the opportunity to review and comment on this draft report. The U.S.
Department of
Homeland Security (DHS) appreciates the Office of Inspector General's (OIG's) work in planning and
conducting its review and issuing this report.

DHS is pleased to note OIG's acknowledgement that the Department has made progress toward
implementing effective disaster recovery capabilities at the data centers. However, the DHS Office
of the Chief Information Officer (OCIO) does not agree with the OIG's overall assessment that
"... inadequate continuity and contingency planning leaves the Department vulnerable in the event
of an emergency." OCIO is concerned that OIG apparently did not appropriately consider the many
information technology (IT) disaster recovery capabilities, documentation, and testing, that when
taken together, comprise a robust disaster recovery capability that has proven itself repeatedly
during several recent disaster events. For example:

   •   OCIO, in cooperation with the DHS Office of Operations Coordination and Planning (OPS),
       has established continuously operable IT services and a permanent IT support team at its
       alternate site.

   •   OPS has also established back-up capability for the) at the Headquarters (HQ) alternate site
       for use in times of emergency or primary system failure.

   •   A well-established Emergency Response Group staff (ERG) also is available to activate
       alternate systems with detailed and documented procedures.

   •   The Management Directorate (MGMT) has established and documented comprehensive
       devolution capabilities, which include IT services, in partnership with Components, as
       secondary alternate sites,
     if the primary alternate facility is not available for any reason.

These capabilities are tested, most notably during all annual National Level Exercises (NLEs) 1, as
well as during special events. The capabilities were made known to the OIG audit team during the
course of the audit and represent sound continuity and contingency planning, as well as
demonstrable operational testing of an HQ IT disaster recovery capability.

OCIO also disagrees with OIG's suggestion that all DHS Mission Essential Systems (MESs)
availability ratings should be changed to "high" despite the results of the assessment that the
systems performed in accordance with National Institute of Standards and Technology, Federal
Information Processing Standard- (FIPS-) 199 instructions. It also is important to note that the
OIG's suggestion conflicts with DHS policy. Specifically, DHS Sensitive System Policy
Directive 4300A requires that FIPS-199 be used to determine the sensitivity level for
confidentiality, integrity, and availability of the system as the first step in authorizing an IT
system. The DHS policy clearly identifies the degree of contingency capability that is required
on the basis of the rating determined by completing the FIPS assessment.

Beyond DHS's current sensitive system policy, OCIO has undertaken a robust and documented
effort to identify MESs, and having developed an MES list and accompanying list maintenance
processes, is reconciling MES information with system accreditation records.
The MES list was
developed to aid in reporting and monitoring the health of DHS-wide IT services, and listing
systems without a "High Availability" rating on the MES list does not necessarily represent a
policy shortcoming. For a given system, justifiable criteria exist in the form of accepted
recovery time/point objectives that do not warrant the investment in contingency capabilities that
a formal High Availability rating implies.

The contingency planning section of the draft report also does not accurately portray the
Department's comprehensive contingency planning activity. The report indicates gaps in
contingency plans, Business Impact Analysis (BIA), back-up data, alternate location, training, and
failover testing that are not fully accurate. For example, OIG did not recognize any of the
contingency training performed for each of the seven systems reviewed and did not credit DHS for
the robust back-up capabilities of several of the systems.

The draft report contained nine recommendations, eight with which the Department concurs and
one with which it non-concurs. Specifically, OIG recommended that the DHS Chief Information
Officer:

Recommendation 1: Develop a Headquarters Information Technology Disaster Recovery Plan
for the transition of its headquarters critical information systems and communications assets
from its primary location to the alternate location, as instructed in the DHS Continuity of
Operations Plan.

Response: Concur.
OCIO will consolidate information from the extensive disaster recovery
planning efforts and documents that already exist into one HQ IT Disaster Recovery (DR) Plan.
Specifically, the following existing documents will be leveraged to develop the DR Plan: OCIO
and DHS HQ Continuity of Operations Plans, the DHS Resilience Plan, the MGMT Devolution
Plan with Component Annex Plans, and various Concept of Operations and training
documentation that were provided to OIG during the course of the audit. Estimated Completion
Date (ECD): March 31, 2014.

1 NLEs are congressionally mandated preparedness exercises designed to educate and prepare participants for
potential catastrophic events.

Recommendation 2: Perform a business impact analysis of the Office of the Chief Information
Officer's mission essential function and update it every 2 years in accordance with Federal
Continuity Directive 2.

Response: Concur. OCIO will coordinate with OPS to update the business impact analysis of
OCIO's mission essential function every 2 years in accordance with Federal Continuity Directive
2. ECD: June 30, 2014.

Recommendation 3: Develop policies and processes for monitoring the availability of all DHS
mission essential systems.

Response: Concur. Monitoring is being performed at the Component level and by service
providers for MES.
OCIO agrees, however, that policies and processes should be developed that
cover automated monitoring capabilities. The IT Services Office of OCIO is presently acquiring
services to implement automated monitoring capabilities and plans to begin system
implementation no later than September 30, 2013. OCIO will develop standard operating
procedures that cover the newly established monitoring capability. ECD: December 31, 2013.

Recommendation 4: Update mission essential systems contingency plans regularly.

Response: Concur. MES contingency plans are updated annually within DHS Information
Assurance Compliance tools (i.e., The Trusted Agent Federal Information Security Management
Act) as required by DHS IT policy 4300A. Although some plan updates were not uploaded in a
timely manner, OCIO has since updated those contingency plans and will make timely updates
on a continuing basis. These updated plans are now in place and are available for OIG review.
We request that this recommendation be considered resolved and closed.

Recommendation 5: Prepare business impact analyses for enterprise mission essential systems.

Response: Concur. The National Institute of Standards and Technology (NIST) Special
Publication 800-34 Revision 1: Contingency Planning Guide for Federal Information Systems
states that the Information System Contingency Plan (ISCP) Coordinator is responsible for
conducting the BIA on an information system. The ISCP Coordinator is typically a functional or
resource manager within the organization. On the basis of guidance in NIST 800-34 and DHS
Sensitive Systems Policy Directive 4300A, the owner of the mission essential system is
responsible for conducting the BIA. The DHS CIO will direct MES owners to perform BIAs for
the four MESs identified in the OIG audit as not having prepared BIAs.
ECD: March 31, 2014.

Recommendation 6: Develop and implement a process to maintain back-up data for enterprise
mission essential systems.

Response: Concur. OCIO argues that maintaining back-up data for enterprise mission essential
systems is important and notes that a process for maintaining such data already exists.
Specifically, as recognized in the report, DHS maintains back-up data for three of the seven
mission essential systems. As for the four others reviewed their data are also backed up, as
appropriate, and described below.

The DHS network is a transport that does not save or store data. It is principally a service
provided by two different carriers through their Multiprotocol Label Switching (MPLS) service,
thus the concept of a system back-up is not applicable in the same sense as implied in the report.
Back-up is accomplished through this MPLS service, which is procured with stringent service-
level agreements from two carriers as a key resiliency feature. To the limited extent that the
network entails Government-controlled equipment assets resident in the data centers, back-ups
are regularly performed. The Network Security Plan describes the process for both the back-up
plans.

Other systems similarly rely on two carriers, thus back-up concepts are also not applicable in
the same sense as implied in the report. The alternate site serves as the back-up.
Systems that
rely more heavily on Government-controlled capabilities are resident at data centers, where
back-ups are routinely performed. Given the foregoing explanation, we request that this
recommendation be considered resolved and closed.

Recommendation 7: Identify and establish adequate alternate facilities.

Response: Concur. DHS has already identified, established, equipped, staffed, and tested (by
virtue of active-active operation) an adequate alternate facility. The OIG was provided
documentation supporting the existence of the facilities during the audit. While entirely
duplicative contingency staffing at the alternate location may seem desirable, it is neither fiscally
prudent nor necessary, given that current staff levels at the alternate site are adequate for
immediate disaster coverage and would certainly be bolstered with staff from other locations
should long-term operations at the alternate facility be required. We request that this
recommendation be considered resolved and closed.

Recommendation 8: Implement contingency training for enterprise mission essential systems.

Response: Concur. DHS has implemented and is regularly performing contingency training for
personnel for the seven systems reviewed in the report. Specifically, data centers have
contingency training by individual job assignment and function. Other systems have
contingency training provided through the TT&E (Testing, Training and Exercise) program,
which provides role-based quarterly contingency training. Training has also been provided for
network personnel in coordination with the NLEs as table-top exercises, as well as during the
Authority to Operate process.
DHS plans to continue contingency training via annual table-top
exercises and in conjunction with the NLEs.

OCIO acknowledges that documentation to reflect this training was not provided to OIG until
after the issuance of this draft report. In the future, OCIO will better document training events as
they occur and will be able to provide related documentation in a timelier manner.

It is important to note, Component-level system owners are directly responsible for funding the
operation and maintenance of most systems in DHS. This includes provision of funds and
resources for contingency training in situations where systems are dependent upon enterprise
services, such as those that reside at the data centers. OCIO partners with system owners to
coordinate training and other system operation and maintenance activities. We request that this
recommendation be considered resolved and closed.

Recommendation 9: Perform full failover contingency testing for enterprise mission essential
systems.

Response: Non-concur. The Department agrees on the importance of performing failover
contingency testing for enterprise mission essential systems and has implemented failover testing
as required. As proscribed by NIST guidance, the mission owner of an MES determines the
outage risk and economics of building a fully redundant system.
If it has been determined that
the MES requires full redundancy, the mission owners have procured and implemented a robust
disaster recovery capability. For those who have determined that it is not necessary for their
respective MES to be fully redundant, the MES has been listed as the top priority system for
restoration when outages occur to mitigate risk.

The Department tests its disaster recovery capability each year during the NLEs and
system-by-system failover testing is performed periodically for all seven of the systems reviewed in this
report. For example, systems hosted in one DHS data center will have an alternate data center as
the failover site. Data is replicated at the alternate site in real-time. Partial failover testing was
performed in October 2012, and an additional tabletop exercise was held in March 2013.

The DHS network and other systems are fully redundant, with redundant carriers, circuits, and
connections. The network infrastructure is replicated at different data centers. Some of the MES
reviewed run in a "live-live" configuration and are therefore failover tested whenever the other
point is not reachable. We request that this recommendation be considered resolved and closed.

Again, thank you for the opportunity to review and comment on this draft report. Technical
comments regarding certain accuracy, sensitivity, context and perspective, and editorial aspects
of the draft report were previously provided under separate cover. Please feel free to contact me
if you have any questions.
We look forward to working with you in the future.

Appendix C
Disaster Recovery Service Levels 13

13 OCIO IT Services and Hardware Catalog, Volume 9, Summer 2012.

14 Active-Active is a phrase used to describe a network of independent processing devices where each
device has access to a replicated database giving each device access and usage.

Appendix D
Major Contributors to This Report

Sharon Huiswoud, IT Audit Director
Sharell Matthews, IT Audit Manager
Beverly Dale, Team Leader
Robert Durst, Senior Program Analyst
Frederick Shappee, Program Analyst
Charles Twitty, Referencer

Appendix E
Report Distribution

Department of Homeland Security

Secretary
Deputy Secretary
Chief of Staff
Deputy Chief of Staff
General Counsel
Executive Secretary
Director, GAO/OIG Liaison Office
Assistant Secretary for Office of Policy
Assistant Secretary for Office of Public Affairs
Assistant Secretary for Office of Legislative Affairs
Under Secretary for Management
Chief Information Officer
Acting Chief Privacy Officer

Office of Management and Budget

Chief, Homeland Security Branch
DHS OIG Budget Examiner

Congress

Congressional Oversight and Appropriations Committees, as appropriate

ADDITIONAL INFORMATION AND COPIES

To obtain additional copies of this document, please call us at (202) 254-4100, fax your
request to (202) 254-4305, or e-mail your request to our Office of Inspector General
(OIG) Office of Public Affairs at: DHS-OIG.OfficePublicAffairs@oig.dhs.gov.

For additional information, visit our website at: www.oig.dhs.gov, or follow us on Twitter
at: @dhsoig.

OIG HOTLINE

To expedite the reporting of alleged fraud, waste, abuse or mismanagement, or any
other kinds of criminal or noncriminal misconduct relative to Department of Homeland
Security (DHS) programs and operations, please visit our website at www.oig.dhs.gov
and click on the red tab titled "Hotline" to report. You will be directed to complete and
submit an automated DHS OIG Investigative Referral Submission Form.
Submission
through our website ensures that your complaint will be promptly received and
reviewed by DHS OIG.

Should you be unable to access our website, you may submit your complaint in writing
to:

       Department of Homeland Security
       Office of Inspector General, Mail Stop 0305
       Attention: Office of Investigations Hotline
       245 Murray Drive, SW
       Washington, DC 20528-0305

You may also call 1(800) 323-8603 or fax the complaint directly to us at
(202) 254-4297.

The OIG seeks to protect the identity of each writer and caller.